Stay current with our daily newsflash.

Raw Data: Encryption Flaw Makes Phones Possible Accomplices in Theft

If your identity has been stolen, your phone may have been an accomplice to the crime. A German mobile security expert says he has found a flaw in the encryption technology used in some SIM cards, the chips in handsets, that could enable cyber criminals to take control of a person's phone.

Karsten Nohl, founder of Security Research Labs in Berlin, said the encryption hole allowed outsiders to obtain a SIM card's digital key, a 56-digit sequence that opens the chip up to modification. With that key in hand, Mr. Nohl said, he was able to send a virus to the SIM card through a text message, which let him eavesdrop on a caller, make purchases through mobile payment systems and even impersonate the phone's owner.

He said he had managed the whole operation in about two minutes, using a simple personal computer. He estimates as many as 750 million phones may be vulnerable to attacks.

"We can remotely install software on a handset that operates completely independently from your phone," Mr. Nohl said. "We can spy on you. We know your encryption keys for calls. We can read your S.M.S.'s. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account."

Mr. Nohl is well known in security circles. In 2009, he published a software tool that computes the 64-bit key used to encrypt conversations on GSM networks, prompting the industry to adopt better safeguards. His company, Security Research Labs, advises German and U.S. multinational companies on mobile security issues.

Mr. Nohl said the flaw he had discovered was the result of an encryption method developed in the 1970s called data encryption standard, or D.E.S. After uncovering the breach, he researched the pervasiveness of the problem by testing about 1,000 SIM cards on cellphones running on mobile networks in Europe and North America over a two-year period. The phones and SIM cards were owned and used by himself and members of his research team. Mr. Nohl said that about one-quarter of the SIM cards running the older encryption technology exhibited the flaw.

D.E.S. encryption is used on about half of the about six billion cellphones in use daily. Over the past decade, most operators have adopted a stronger encryption method, called Triple D.E.S., but many SIM cards still run the old standard. The encryption is used to disguise the SIM card, and thus a mobile phone's unique digital signature.

Mr. Nohl has shared the results of his two-year study with the GSM Association, an organization based in London that represents the mobile industry, through a process of "responsible disclosure." On Aug. 1, he plans to present the full details of his research at the Black Hat conference, a computer hackers gathering, in Las Vegas.

In a statement, a GSM Association spokeswoman, Claire Cranton, said Mr. Nohl had sent the association outlines of his study, which the organization had passed along to operators and to makers of SIM cards that still relied on the older encryption standard.

"We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted," Ms. Cranton said. She added that it was likely only a minority of phones using the older standard "could be vulnerable."

Ms. Cranton declined to comment on Mr. Nohl's estimate that 750 million cellphones might be open to attack, saying the association would not comment until it had reviewed Mr. Nohl's full research findings in Las Vegas. A large maker of SIM cards, the Dutch company Gemalto, said the GSM Association had told it of Mr. Nohl's preliminary findings. A second maker of SIM cards, the German company Giesecke & Devrient, said it had "analyzed this attack scenario."

Gemalto has been working closely with the association and other industry groups "to look into the first outline given by Mr. Nohl," Gemalto said in a statement. The company said the GSM Association had already disseminated Mr. Nohl's findings to group members.

Mr. Nohl was able to derive the SIM card's digital key by sending an SMS disguised as having been sent from the mobile operator. Carriers routinely send specially coded messages to handsets to validate customers' identities for billing and mobile transactions.

For each message, the network and the phone verify their identities by comparing digital signatures. The message sent by Mr. Nohl deliberately used a false signature for the network. In three-quarters of messages sent to mobile phones using D.E.S. encryption, the handset recognized the false signature and ended communication.

But in a quarter of cases, the phone broke off the communication and sent an error message back to Mr. Nohl that included its own encrypted digital signature. The communication provided Mr. Nohl with enough information to derive the SIM card's digital key.

Mr. Nohl said he had advised the GSM Association and chip makers to use better filtering technology to block the kind of messages he had sent. He also advised operators to phase out SIM cards using D.E.S. encryption in favor of newer standards. He added that consumers using SIM cards more than three years old should get new cards from their carriers.

Giesecke & Devrient, in a statement, said that it had begun phasing out SIM cards using D.E.S. encryption in 2008. The German company said the unique operating system used in its SIM cards, even those running D.E.S. encryption, would prevent a phone from inadvertently sending the kind of "message authentication code" that Mr. Nohl had used to pierce the encryption.

Mr. Nohl said he was not planning to disclose the identities of the operators whose SIM cards had performed poorly in his study at the Black Hat conference in August. But he said that he planned to publish a comparative list of SIM card security by operator in December at a computer hackers' conference in Hamburg, Germany, called the Chaos Communication Congress.